Cybersecurity in space

Featured image: The International Space Station, 2011. Credit: gsfc/Flickr, CC BY 2.0

On May 19, 1998, the Galaxy IV satellite shut down unexpectedly in its geostationary orbit. Immediately, most of the pagers in the US stopped working even as the Reuters, CBS and NPR news channels struggled to stay online. The satellite was declared dead a day later but it was many days before the disrupted services could be restored. The problem was found to be an electrical short-circuit onboard.

The effects of a single satellite going offline are such. What if they could be shutdown en masse? The much-discussed consequences would be terrible, which is why satellite manufacturers and operators are constantly devising new safeguards against potential threats.

However, the pace of technological advancements, together with the proliferation of the autonomous channels through which satellites operate, has ensured that operators are constantly but only playing catch-up. There’s no broader vision guiding how affected parties could respond to rapidly evolving threats, especially in a way that constantly protects the interests of stakeholders across borders.

With the advent of low-cost launch options, including from agencies like ISRO, since the 1990s, the use of satellites to prop up critical national infrastructure – including becoming part of the infrastructure themselves – stopped being the exclusive demesne of developed nations. But at the same time, the drop in costs signalled that the future of satellite operations might rest with commercial operators, leaving them to deal with technological capabilities that until then were being handled solely by the defence industry and its attendant legislative controls.

Today, satellites are used for four broad purposes: Earth-observation, meteorology and weather-forecasting; navigation and synchronisation; scientific research and education; and telecommunication. They’ve all contributed to a burgeoning of opportunities on the ground. But in terms of their own security, they’ve become a bloated balloon waiting for the slightest prick to deflate.

How did this happen?

Earlier in September, three Chinese engineers were able to hack into two Tesla electric-cars from 19 km away. They were able to move the seats and mirrors and, worse, control the brakes. Fortunately, it was a controlled hack conducted with Tesla’s cooperation and after which the engineers reported the vulnerabilities they’d found to Tesla.

The white-hat attack demonstrated a paradigm: that physical access to an internet-enabled object was no longer necessary to mess with it. Its corollary was that physical separation between an attacker and the target no longer guaranteed safety. In this sense, satellites occupy the pinnacle of our thinking about the inadequacy of physical separation; we tend to leave them out of discussions on safety because satellites are so far away.

It’s in recognition of this paradigm that we need to formulate a multilateral response that ensures minimal service disruption and the protection of stakeholder interests at all times in the event of an attack, according to a new report published by Chatham House. It suggests:

Development of a flexible, multilateral space and cybersecurity regime is urgently required. International cooperation will be crucial, but highly regulated action led by government or similar institutions is likely to be too slow to enable an effective response to space-based cyberthreats. Instead, a lightly regulated approach developing industry-led standards, particularly on collaboration, risk assessment, knowledge exchange and innovation, will better promote agility and effective threat responses.

Then again, how much cybersecurity do satellites need really?

Because when we speak about cyber anything, our thoughts hardly venture out to include our space-borne assets. When we speak about cyber-warfare, we imagine some hackers at their laptops targeting servers on some other part of the world – but a part of the world, surely, and not a place floating above it. However, given how satellites are becoming space-borne proxies for state authority, they do need to be treated as significant space-borne liabilities as well. There’s even precedence: In November 2014, an NOAA satellite was hacked by Chinese actors with minor consequences. But in the process, the attack revealed major vulnerabilities that the NOAA rushed to patch.

So the better question would be: What kinds of protection do satellites need against cyber-threats? To begin with, hackers have been able to jam communications and replace legitimate signals with false ones (called spoofing). They’ve also been able to invade satellites’ SCADA systems, introduce viruses to trip up software and,  pull DOS attacks. The introduction of micro- and nanosatellites has also provided hackers with an easier conduit into larger networks.

Another kind of protection that could be useful is from the unavoidable tardiness with which governments and international coalitions react to cyber-warfare, often due to over-regulation. The report states, “Too centralised an approach would give the illicit actors, who are generally unencumbered by process or legislative frameworks, an unassailable advantage simply because their response and decision-making time is more flexible and faster than that of their legitimate opponents.”

Do read the full report for an interesting discussion of the role cybersecurity plays in the satellite services sector. It’s worth your time.